Ok. The patch at http://git.goingon.net/?p=perl-ldap.git;a=commitdiff;h=af630673855d88c9a88e1f86ee0d068337562e91
takes advantage of reverse DNS lookups in krb5_sname_to_principal(). In MIT Kerberos, the ability to do a reverse DNS lookup in krb5_sname_to_principal() appears to be a compile-time option. In Heimdal Kerberos, the reverse lookup code doesn't appear to be there.

I recommend that if we are going to have Net::LDAP get the peerhost and use it as part of the service name, we modify Net::LDAP to do the reverse DNS and not expect GSSAPI to do it. Or we change our approach in dealing with hosts with round-robin IP addresses.

Dale Moore

-----Original Message-----
From: Dale Moore [mailto:dale.mo...@cs.cmu.edu]
Sent: Monday, April 13, 2009 11:36 AM
To: 'perl-ldap@perl.org'
Subject: Perl Sasl GSSAPI and

I am having problems with Net::LDAP and the patch by Dominic Hargreaves referenced at for supporting Round-Robin based LDAP servers. This is the code that is in Net::LDAP Version 0.39. I am looking for additional understanding or confirmation of the problem.

The problem is in supporting SASL GSSAPI KRB5 authentication to the server. In the above patch, we change from calling

    $sasl->client_new("ldap", $ldap->{net_ldap_host});

to occasionally (often) calling

    $sasl->client_new("ldap", $ldap->{net_ldap_socket}->peerhost);

This change presumably allows SASL to use whichever IP address was chosen from the list instead of the more generic round-robin hostname with multiple IP addresses. The net_ldap_host is the domain name, while peerhost is the IP address. For my specific case, it is a change from

    $sasl->client_new("ldap", "spelt.srv.cs.cmu.edu");

to

    $sasl->client_new("ldap", "128.2.203.46");

This means that $sasl->host, which was "spelt.srv.cs.cmu.edu" before the patch, is now "128.2.203.46" after the patch.

The problem is in how this $sasl->host value is used in Authen::SASL::Perl::GSSAPI. Specifically, in client_start we do

    my $principal = $self->service . '@' . $self->host;

In my specific case, it changes from

    $principal = 'l...@spelt.srv.cs.cmu.edu'

to

    $principal = 'l...@128.2.203.46'

We pass that principal into

    # GSSAPI::Name->import is the *constructor*,
    # storing the new GSSAPI::Name into $target.
    # GSSAPI::Name->import is not the standard
    # import() method as used in Perl normally
    my $target;
    $status = GSSAPI::Name->import($target, $principal, gss_nt_service_name)
        or return $self->set_error("GSSAPI Error : " . $status);

The problem is in how the principal is used. In all of the examples and documentation I can find, we use GSSAPI against a serv...@domain.name and never against serv...@ip.address. Because, with that change, when I use a principal of 'l...@spelt.srv.cs.cmu.edu' it works. But when I do 'l...@128.2.203.46' I get the following error:

    SASL(-1): generic failure: GSSAPI Error: Miscellaneous failure (see text) (Server (krbtgt/2.203...@cs.cmu.edu)

I started browsing the GSSAPI source and got lost. Perhaps it is a difference between the MIT Kerberos and our Heimdal Kerberos that is causing this problem. But using serv...@ip.address with GSSAPI just seems wrong to me. Kerberos credentials are issued to domains and/or hosts and not IP addresses.

If you have insight, comments, or questions, please feel free to either
- post them on this perl-ldap mailing list, or
- contact me personally.
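The reverse lookup that the reply above proposes doing inside Net::LDAP rather than leaving to GSSAPI, written out as an added illustration (not code from Net::LDAP, Authen::SASL or the poster): sasl_host_for_peer, its $resolver hook and the example.test records are assumptions, and the forward-confirmation step is an addition, since the owner of an IP's reverse zone can otherwise choose any name.

```perl
use strict;
use warnings;
use Socket qw(inet_aton inet_ntoa AF_INET);

# Turn the peer IP of a connected LDAP socket into the host name to put in
# the GSSAPI service principal, doing the reverse DNS in Perl instead of
# expecting krb5_sname_to_principal() to do it. The PTR answer is then
# forward-confirmed (the name's A records must contain the IP). On any
# failure the generic round-robin name ($ldap->{net_ldap_host}) is used,
# i.e. the pre-patch behaviour. $resolver is a hypothetical hashref of
# coderefs that lets tests replace the real lookups.
sub sasl_host_for_peer {
    my ($peer_ip, $fallback_host, $resolver) = @_;
    $resolver ||= {};
    my $reverse = $resolver->{reverse} || sub {
        my $packed = inet_aton($_[0]) or return;
        return scalar gethostbyaddr($packed, AF_INET);
    };
    my $forward = $resolver->{forward} || sub {
        my (undef, undef, undef, undef, @addrs) = gethostbyname($_[0]);
        return map { inet_ntoa($_) } @addrs;
    };

    my $name = $reverse->($peer_ip);
    return $fallback_host unless defined $name && length $name;
    my %confirmed = map { $_ => 1 } $forward->($name);
    return $confirmed{$peer_ip} ? $name : $fallback_host;
}

# Constructed stand-in for DNS so this runs offline (not real CMU data).
my %ptr = ('192.0.2.10' => 'ldap1.example.test',
           '192.0.2.11' => 'ldap1.example.test');   # PTR not backed by an A
my %a   = ('ldap1.example.test' => ['192.0.2.10']);
my $fake_dns = {
    reverse => sub { $ptr{$_[0]} },
    forward => sub { @{ $a{$_[0]} || [] } },
};

# .10 resolves and is confirmed; .11 has a bogus PTR; .12 has no PTR at all.
for my $ip ('192.0.2.10', '192.0.2.11', '192.0.2.12') {
    my $host = sasl_host_for_peer($ip, 'ldap.example.test', $fake_dns);
    printf "%-12s -> ldap\@%s\n", $ip, $host;
}

# Inside Net::LDAP the call would then become (with $sock the connected socket):
#   $sasl->client_new("ldap", sasl_host_for_peer($sock->peerhost,
#                                                $ldap->{net_ldap_host}));
```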